Tentang_COBIT


Transcript of Tentang_COBIT

  • 8/10/2019 Tentang_COBIT

    1/51

    Slide 1

    Presented by Marmah Hadi
    Sekolah Tinggi Akuntansi Negara & Institute of Information System Audit Studies

    COBIT: Control Objectives for Information and related Technology

    Slide 3

    COBIT Framework: Governance, Control and Audit for Information and Related Technology

    Introduction to COBIT 2nd edition
    - Elements
    - Source standards and regulations
    - The framework

    How to put COBIT to effective use
    - Comparison of COBIT with other methods
    - COBIT - a product for many audiences
    - Some ideas and case studies

    Summary

    Slide 4

    Technology, Control & Governance

    - Technology makes new business processes possible, leading to loss of control and more regulation.
    - Developments in IT and business practices make corporate governance more difficult.
    - Officers and management will be held accountable.
    - Major changes have already occurred, but the pressure to continue to change remains.

    Slide 5

    Responsibility for Control

    Committee of Sponsoring Organisations (COSO):
    In order to discharge management's responsibilities as well as to achieve its objectives, management must establish an adequate system of internal control. This control system or framework must be in place to support business requirements for effectiveness and efficiency of operations, reliability of information and compliance with laws and regulations.

    National Institute of Standards and Technology (NIST):
    While computer security helps manage risks, it does not eliminate them. In addition, the exact level of risk can never be known, since there is always some degree of uncertainty. Ultimately, management must decide on the level of risk it is willing to accept. Judging what level can be tolerated, particularly when weighed against the cost, can be a difficult management decision.

    Slide 6

    Definitions

    Control: the policies, procedures, practices and organisational structures designed to provide reasonable assurance that business objectives will be achieved and that undesired events will be prevented or detected and corrected.

    IT Control Objective: a statement of the desired result or purpose to be achieved by implementing control procedures in a particular IT activity.

    Slide 7

    The Five Elements of COBIT: a first look at all the components

    - Executive Summary (senior executives: CEO, CIO): "There is a method..."
    - Framework (senior operational management): "The method is..."
    - Control Objectives (middle management): "Minimum controls are..."
    - Audit Guidelines (line management, controls practitioner): "Here's how you audit..."
    - Implementation Tool Set (director, middle management): "Here's how you implement..."

    Slide 8

    Standards and Regulations: COBIT includes 36 national and international standards

    - Codes of conduct issued by the Council of Europe, OECD, ISACA, etc.
    - Qualification criteria for IT systems and processes: ITSEC, TCSEC, ISO 9000, SPICE, TickIT, Common Criteria, etc.
    - Professional standards in internal control and auditing: COSO Report, IFAC, AICPA, IIA, ISACA, PCIE, GAO standards, etc.
    - Industry practices and requirements from industry forums (ESF, I4) and government-sponsored platforms (IBAG, NIST, DTI), etc.
    - Technical standards from ISO, EDIFACT, etc.
    - Emerging industry-specific requirements, such as from banking, electronic commerce and IT manufacturing

    Slide 9

    The Framework's Principles

    Linking management's IT expectations with management's IT responsibilities

    Slide 10

    Business Requirements = Information Criteria

    - Effectiveness: deals with information being relevant and pertinent to the business process, as well as being delivered in a timely, correct, consistent and usable manner.
    - Efficiency: concerns the provision of information through the optimal (most productive and economical) usage of resources.
    - Confidentiality: concerns protection of sensitive information from unauthorized disclosure.
    - Integrity: relates to the accuracy and completeness of information as well as to its validity in accordance with the business' set of values and expectations.
    - Availability: relates to information being available when required by the business process, and hence also concerns the safeguarding of resources.
    - Compliance: deals with complying with those laws, regulations and contractual arrangements to which the business process is subject, i.e., externally imposed business criteria.
    - Reliability of information: relates to systems providing management with appropriate information for it to use in operating the entity, in providing financial reporting to users of the financial information, and in providing information to report to regulatory bodies with regard to compliance with laws and regulations.

    [Diagram: the information criteria are grouped into Quality, Fiduciary and Security requirements; Business Requirements link IT Processes and IT Resources]

    Slide 11

    IT Resources

    - Data: data objects in their widest sense, i.e., external and internal, structured and non-structured, graphics, sound, etc.
    - Application Systems: understood to be the sum of manual and programmed procedures.
    - Technology: covers hardware, operating systems, database management systems, networking, multimedia, etc.
    - Facilities: resources to house and support information systems.
    - People: staff skills, awareness and productivity to plan, organise, acquire, deliver, support and monitor information systems and services.

    [Diagram: Business Requirements, IT Processes and IT Resources]

    Slide 12

    IT Domains & Processes

    - Domains: a natural grouping of processes, often matching an organisational domain of responsibility.
    - Processes: a series of joined activities with natural (control) breaks.
    - Activities: actions needed to achieve a measurable result. Activities have a life-cycle, whereas tasks are discrete.

    [Diagram: Domains, Processes and Activities between Business Requirements, IT Processes and IT Resources]

    Slide 14

    IT Domain: Acquisition & Implementation

    - Realization of IT strategy
    - Solutions identified, developed, or acquired and implemented
    - Solutions integrated into business process
    - Change and maintenance of systems

    AI 1 Identify Solutions
    AI 2 Acquire and Maintain Application Software
    AI 3 Acquire and Maintain Technology Architecture
    AI 4 Develop and Maintain IT Procedures
    AI 5 Install and Accredit Systems
    AI 6 Manage Changes

    Slide 15

    IT Domain: Delivery and Support

    - Actual delivery of required services
    - Actual operations through security, including training
    - Establishment of support processes
    - Actual processing of data by applications

    DS 1 Define Service Levels
    DS 2 Manage Third-Party Services
    DS 3 Manage Performance and Capacity
    DS 4 Ensure Continuous Service
    DS 5 Ensure Systems Security
    DS 6 Identify and Attribute Costs
    DS 7 Educate and Train Users
    DS 8 Assist and Advise IT Customers
    DS 9 Manage the Configuration
    DS 10 Manage Problems and Incidents
    DS 11 Manage Data
    DS 12 Manage Facilities
    DS 13 Manage Operations

    Slide 16

    IT Domain: Monitoring

    - Regular assessment of all IT processes
    - Compliance with and quality of controls

    M 1 Monitor the Processes
    M 2 Assess Internal Control Adequacy
    M 3 Obtain Independent Assurance
    M 4 Provide for Independent Audit

    Slide 17

    COBIT's Navigation Aids: linking process, resource & criteria

    The control of IT Processes, which satisfy Business Requirements, is enabled by Control Statements and considers Control Practices.

    Domains: Planning & Organisation, Acquisition & Implementation, Delivery & Support, Monitoring.

    [Diagram: An Example of an IT Process]

    Slide 18

    Linking the Processes to control objectives: an example of an IT process

    Control over the IT process of ENSURING SYSTEMS SECURITY (DS 5)
    that satisfies the business requirement to safeguard information against unauthorised use, disclosure or modification, damage or loss
    is enabled by logical access controls which ensure that access to systems, data and programs is restricted to authorised users
    and takes into consideration:
    - authorisation & authentication
    - user profiles and identification
    - trusted path, firewalls
    - virus prevention and detection
    - cryptographic key management
    - incident handling, reporting and follow up

    Slide 19

    Typical Example: Domain Delivery & Support, Process DS 5 Ensuring Systems Security

    Control Objectives:
    5.1 Manage Security Measures
    5.2 Identification, Authentication and Access
    5.3 Security of Online Access to Data
    5.4 User Account Management
    5.5 Management Review of User Accounts
    5.6 User Control of User Accounts
    5.7 Security Surveillance
    5.8 Data Classification
    5.9 Central Identification and Access Rights Management
    5.10 Violation and Security Activity Reports
    5.11 Incident Handling
    5.12 Re-Accreditation
    5.13 Counterparty Trust
    5.14 Transaction Authorisation
    5.15 Non-Repudiation
    5.16 Trusted Path
    5.17 Protection of Security Functions
    5.18 Cryptographic Key Management
    5.19 Malicious Software Prevention, Detection and Correction
    5.20 Firewall Architectures and Connections with Public Networks
    5.21 Protection of Electronic Value

    DS 5.10 Violation and Security Activity Reports:
    The information services function's security administration should assure that violation and security activity is logged, reported, reviewed and appropriately escalated on a regular basis to identify and resolve incidents involving unauthorised activity. Logical access to the computer resources' accountability information (security and other logs) should be granted based upon the principle of least privilege, or need to know.

    Slide 20

    Planning & Organisation
    PO 1 Define a Strategic IT Plan
    PO 2 Define the Information Architecture
    PO 3 Determine the Technological Direction
    PO 4 Define the IT Organisation and Relationships
    PO 5 Manage the IT Investment
    PO 6 Communicate Management Aims and Direction
    PO 7 Manage Human Resources
    PO 8 Ensure Compliance with External Requirements
    PO 9 Assess Risks
    PO 10 Manage Projects
    PO 11 Manage Quality

    Acquisition & Implementation
    AI 1 Identify Solutions
    AI 2 Acquire and Maintain Application Software
    AI 3 Acquire and Maintain Technology Architecture
    AI 4 Develop and Maintain IT Procedures
    AI 5 Install and Accredit Systems
    AI 6 Manage Changes

    Delivery & Support
    DS 1 Define Service Levels
    DS 2 Manage Third-Party Services
    DS 3 Manage Performance and Capacity
    DS 4 Ensure Continuous Service
    DS 5 Ensure Systems Security
    DS 6 Identify and Attribute Costs
    DS 7 Educate and Train Users
    DS 8 Assist and Advise IT Customers
    DS 9 Manage the Configuration
    DS 10 Manage Problems and Incidents
    DS 11 Manage Data
    DS 12 Manage Facilities
    DS 13 Manage Operations

    Monitoring
    M 1 Monitor the Processes
    M 2 Assess Internal Control Adequacy
    M 3 Obtain Independent Assurance
    M 4 Provide for Independent Audit

    [Diagram: the COBIT cube. Business Processes; information criteria: effectiveness, efficiency, confidentiality, integrity, availability, compliance, reliability; IT Resources: data, applications, technology, facilities, people; domains: Planning & Organisation, Acquisition & Implementation, Delivery & Support, Monitoring]

    Slide 21

    What COBIT Is Used For: Survey ISACA Switzerland Chapter 1997/98

    Comparison of 4 methods:
    - COBIT (1st ed)
    - Code of Practice (BS7799)
    - BSI Grundschutzhandbuch 1997
    - Marion

    Surveyed: what they are used for; which method is used and how often; requirements for a good method.

    Slide 22

    COBIT in Comparison: Survey ISACA Switzerland Chapter 1997/98

    [Pie charts of use by purpose]
    - CobiT: 27%, 59%, 7%, 7% (legend order: risk analysis, audit, security policy, security handbook)
    - Code of Practice: 23%, 18%, 36%, 23% (legend order: risk analysis, audit, security concept, security handbook)

    Slide 23

    Criteria for Comparison: Survey ISACA Switzerland Chapter 1997/98

    - Standardisation
    - Independence
    - Certification
    - Practicability
    - Adaptability
    - Range (Scope)
    - Presentation of results
    - Efficiency
    - Topicality
    - Ease of use

    Slide 24

    COBIT in Comparison: Survey ISACA Switzerland Chapter 1997/98

    [Bar charts: Code of Practice (CoP) and CobiT rated on a 0 to 4 scale for standardisation, independence, certification, practicability, adaptability, range (scope), presentation, efficiency, topicality and ease of use; the bar values are not recoverable from the transcript]

    Slide 25

    COBIT in Comparison: Survey ISACA Switzerland Chapter 1997/98

    Columns: Code of Practice (BS7799) | COBIT (1st ed, 1996) | Marion | Grundschutzhandbuch (1997). Several cells are cut off in the transcript; column boundaries in the strengths and weaknesses rows are partly lost.

    Preferred uses: primary: security policy; very frequent for all uses | audit | risk analysis, security policy | security policy, security handbook

    Less used for: - | security policy, security handbook | audit, security handbook | risk analysis, audit

    Strengths: independence, standardisation, certification | independence, standardisation, presentation | independence, adaptability, topicality | (cut off)

    Weaknesses: presentation of results | presentation of results, ease of use | certification, presentation | (cut off)

    Rating (1 = bad, 4 = ideal): rather high (3.0) | rather high (3.0) | medium (2.5) | rather ... (cut off)

    Remarks:
    - Code of Practice: CoP is focussed on information security and is therefore used as a basis for information security policies (foremost in Europe).
    - COBIT: Apart from security, COBIT covers quality and reliability; still ... known outside the ... world (cut off).
    - Marion: Marion is not used frequently outside France; in Switzerland Marion is used for risk analysis.
    - Grundschutzhandbuch: Is used as a reference for selecting and implementing security measures ... risk analysis (cut off).

    Slide 26

    Official COBIT Survey: ISACA's survey results, presented July 1998, Brussels

    Objectives:
    - reasons for (not) adopting COBIT
    - differences between users and non-users

    Survey mailed to 5,315 purchasers; 429 usable responses (8.1% response rate)

    Lots of questions: region, certification, industry, people employed, control methodologies, reasons for purchasing, ...

    Slide 27

    Official COBIT Survey: ISACA's survey results, presented July 1998, Brussels

    Interesting results:
    - 59% of respondents were COBIT users
    - COBIT was purchased primarily to improve audit approaches and programs
    - Size of internal audit staff correlates to COBIT use
    - CISAs are more likely to adopt COBIT
    - 4 out of 5 adopters use COBIT with little or no modification
    - Users agree that COBIT is the best published set of control guidelines for IT

    Slide 28

    Why Should an Organisation Adopt COBIT?

    - Attention on Corporate Governance
    - Management accountability for resources
    - Specific need for control of IT resources
    - Business oriented solutions
    - Framework for risk assessment
    - Authoritative basis
    - Improved communication among management, users and auditors

    Slide 29

    A Product For Many Audiences

    - Executive manager
    - Business manager
    - IT manager
    - Project manager
    - Developer
    - Operations
    - User
    - Information security officer
    - Auditor

    Slide 30

    COBIT for the Executive Manager

    COBIT could serve the following objectives for you:
    - Accept and promote COBIT as general IT governance model for all enterprises within the enterprise

    Some specific approaches which could prove useful:
    - Use COBIT to complement the existing internal control framework
    - Use the COBIT process model to establish a common language between business and IT; allocate clear responsibilities

    Slide 31

    COBIT for the Executive Manager: IT Governance Self-Assessment

    RISK: Who Does It?

    Legend:
    - Importance = how important for the organisation, on a scale from 1 (not at all) to 5 (very)
    - Performance = how well is it done, from 1 (don't know or badly) to 5 (very well)
    - Audited = Yes, No or ?
    - Formality = is there a contract, SLA, or a clearly documented procedure? (Yes, No or ?)
    - Accountable = name or don't know

    Columns: COBIT's Domains and Processes | Importance | Performance | Who is Accountable? (IT, Other, Outside, Don't Know) | Audited | Formality

    Rows:

    Planning & Organisation
    PO1 Define a Strategic IT Plan
    PO2 Define the Information Architecture
    PO3 Determine the Technological Direction
    PO4 Define the IT Organisation and Relationships
    PO5 Manage the IT Investment
    PO6 Communicate Management Aims and Direction
    PO7 Manage Human Resources
    PO8 Ensure Compliance with External Requirements
    PO9 Assess Risks
    PO10 Manage Projects
    PO11 Manage Quality

    Acquisition & Implementation
    AI1 Identify Solutions
    AI2 Acquire and Maintain Application Software
    AI3 Acquire and Maintain Technology Architecture
    AI4 Develop and Maintain IT Procedures
    AI5 Install and Accredit Systems
    AI6 Manage Changes

    Delivery & Support
    DS1 Define Service Levels
    DS2 Manage Third-Party Services
    DS3 Manage Performance and Capacity
    DS4 Ensure Continuous Service
    DS5 Ensure System Security
    DS6 Identify and Attribute Costs
    DS7 Educate and Train Users
    DS8 Assist and Advise IT Customers
    DS9 Manage the Configuration
    DS10 Manage Problems and Incidents
    DS11 Manage Data
    DS12 Manage Facilities
    DS13 Manage Operations

    Monitoring
    M1 Monitor the Processes
    M2 Assess Internal Control Adequacy
    M3 Obtain Independent Assurance
    M4 Provide for Independent Audit

    Slide 32

    COBIT for the Business Manager

    COBIT could serve the following objectives for you:
    - Use COBIT to establish a common entity-wide model to manage and monitor IT's contribution to the business

    Some specific approaches which could prove useful:
    - Use COBIT control objectives as a code of good practice for dealing with IT within the business function
    - Use COBIT control objectives to determine needs to be covered by Service Level Agreements (internal or outsourced)

    Slide 33

    COBIT for the Business Manager: Management's IT Concerns Diagnostic

    Technology concerns to management (Gartner Group): Internet / Intranet; Enterprise Packaged Solutions; Client/Server Architecture; Workgroups and GroupWare; Network Management

    Management concerns: IT initiatives in line with business strategy; IT policies and corporate governance; utilising IT for competitive advantage; consolidating the IT infrastructure; reducing cost of IT ownership; acquiring and developing skills

    Risk factors (listed in the order they appear under the technology columns of the original matrix): unauthorised access to corporate network; unauthorised access to confidential messages; loss of integrity of corporate transactions; leakage of confidential data; interruption to service availability; virus infection; failure to meet user requirements; failure to integrate; not compatible with technical infrastructure; vendor support problems; expensive/complex implementation; failure to coordinate requirements; access control problems; not compatible with technical infrastructure; end user management problems; control of software versions; high costs of ownership; quality control; access control; informal procedures; data integrity; configuration control; availability; security; configuration control; incident management; costs; support and maintenance

    Rows (COBIT processes):

    Planning & Organisation
    PO1 Define a Strategic IT Plan
    PO2 Define the Information Architecture
    PO3 Determine the Technological Direction
    PO4 Define the IT Organisation and Relationships
    PO5 Manage the Investment in IT
    PO6 Communicate Management Aims and Direction
    PO7 Manage Human Resources
    PO8 Ensure Compliance with External Requirements
    PO9 Assess Risks
    PO10 Manage Projects
    PO11 Manage Quality

    Acquisition & Implementation
    AI1 Identify Solutions
    AI2 Acquire and Maintain Application Software
    AI3 Acquire and Maintain Technology Architecture
    AI4 Develop and Maintain IT Procedures
    AI5 Install and Accredit Systems
    AI6 Manage Changes

    Delivery & Support
    DS1 Define Service Levels
    DS2 Manage Third-Party Services
    DS3 Manage Performance and Capacity
    DS4 Ensure Continuous Service
    DS5 Ensure Systems Security
    DS6 Identify and Attribute Costs
    DS7 Educate and Train Users
    DS8 Assist and Advise IT Customers
    DS9 Manage the Configuration
    DS10 Manage Problems and Incidents
    DS11 Manage Data
    DS12 Manage Facilities
    DS13 Manage Operations

    Monitoring
    M1 Monitor the Processes
    M2 Assess Internal Control Adequacy
    M3 Obtain Independent Assurance
    M4 Provide for Independent Audit

    Slide 34

    COBIT for the IT Manager

    COBIT could serve the following objectives for you:
    - Use the COBIT process model and detailed control objectives to structure the IT services function into manageable and controllable processes focussing on business contribution

    Some specific approaches which could prove useful:
    - Use the COBIT control model to establish SLAs and communicate with business functions
    - Use the COBIT control model as basis for process-related performance measures and IT-related policies and norms
    - Use COBIT as baseline model to establish the appropriate level of control objectives and external certifications

    Slide 35

    COBIT for the IT Manager: Define SLAs

    Slide 36

    COBIT for the Project Manager

    COBIT could serve the following objectives for you:
    - As a general framework for minimal project and quality assurance standards

    Some specific approaches which could prove useful:
    - Use COBIT to help ensure that project plans incorporate generally accepted phases in IT planning, acquisition and development, service delivery and project management, and assessment

    Slide 37

    COBIT for the Project Manager: Internal Controls Built Into System

    Slide 38

    COBIT for the Developer

    COBIT could serve the following objectives for you:
    - As minimal guidance for controls to be applied within development processes, as well as for internal control to be integrated in information systems being built

    Some specific approaches which could prove useful:
    - Use COBIT to ensure that all applicable IT control objectives in the development project have been addressed

    Slide 39

    COBIT for the Developer: Select Appropriate Controls

    [Table: for each IT process (PO1 to PO11, AI1 to AI6, DS1 to DS13, M1 to M4), which information criteria (effectiveness, efficiency, confidentiality, integrity, availability, compliance, reliability) and IT resources (people, applications, technology, facilities, data) apply; P = primary, S = secondary. The P and S marks per process survive in the transcript, but their column positions do not, so the mapping is not reproduced here.]

    Slide 40

    COBIT for Operations

    COBIT could serve the following objectives for you:
    - As general framework for minimal controls to be integrated into service delivery and support processes, placing clear focus on client objectives

    Some specific approaches which could prove useful:
    - Use COBIT to ensure that operational policies and procedures are sufficiently comprehensive

    Slide 41

    COBIT for Users

    COBIT could serve the following objectives for you:
    - As minimal guidance for internal control to be integrated within information systems, being fully operational or under development

    Some specific approaches which could prove useful:
    - Use COBIT to guide service level agreements

    Slide 42

    COBIT for the Security Officer

    COBIT could serve the following objectives for you:
    - As harmonising framework providing a way to integrate information security with other business related IT objectives

    Some specific approaches which could prove useful:
    - Use COBIT to structure the information security program, policies and procedures

    Slide 43

    COBIT for the Security Officer: Assess your Risks

    Slide 44

    COBIT for Auditors

    COBIT could serve the following objectives for you:
    - As basis for determining the IT audit universe and as IT control reference

    Some specific approaches which could prove useful:
    - Use COBIT as criteria for review and examination, and for framing IT-related audits

    The objectives of auditing are to:
    - provide management with reasonable assurance that control objectives are being met;
    - where there are significant control weaknesses, to substantiate the resulting risks; and
    - advise management on corrective actions.

    Slide 45

    COBIT for Auditors: Prior Audit Work Form

    Columns:
    - IT Process
    - In Prior Scope: Yes / No
    - Prior Audit Opinion: Unqualified / Qualified / Adverse / Disclaimer / Material Weaknesses
    - Disposition of Findings: Findings / Resolved / Unresolved / N/A / Not Determined

    Rows (one per IT process):
    PO1 Define a Strategic IT plan
    PO2 Define the Information Architecture
    PO3 Determine the Technological Direction
    PO4 Define IT Organization and Relationships
    PO5 Manage the Investment
    PO6 Communicate Management Aims and Direction
    PO7 Manage Human Resources
    PO8 Ensure Compliance with External Requirements
    PO9 Assess Risks
    PO10 Manage Projects
    PO11 Manage Quality
    AI1 Identify Automated Solutions
    AI2 Acquire & Maintain Application Software
    AI3 Acquire & Maintain Technology Architecture
    AI4 Develop & Maintain Procedures
    AI5 Install & Accredit System
    AI6 Manage Changes
    DS1 Define Service Levels
    DS2 Manage Third-Party Services
    DS3 Manage Performance & Capacity
    DS4 Ensure Continuous Service
    DS5 Ensure System Security
    DS6 Identify & Allocate Costs
    DS7 Educate & Train Users
    DS8 Assist & Advise Customers
    DS9 Manage the Configuration
    DS10 Manage Problems & Incidents
    DS11 Manage Data
    DS12 Manage Facilities
    DS13 Manage Operations
    M1 Monitor the Processes
    M2 Obtain independent assurance
    M3 Obtain Independent Assurance
    M4 Provide for Independent Audit

    Insert the number of findings if there is more than one per process category and then reflect the appropriate number under each column.

    Slide 46

    COBIT for Auditors: Audit Guidelines

    The process is audited by:
    - obtaining an understanding of business requirements, related risks, and relevant control measures;
    - evaluating the appropriateness of stated controls;
    - assessing compliance by testing whether the stated controls are working as prescribed, consistently and continuously;
    - substantiating the risk of the control objectives not being met by using analytical techniques and/or consulting alternative sources.

    Slide 47

    COBIT for Auditors: Generic Audit Guideline

    Gain an understanding of:
    - business requirements
    - organisation structure
    - roles and responsibilities
    - policies and procedures
    - laws and regulations
    - control measures in place

    Evaluate the controls:
    - documented processes
    - appropriate deliverables
    - responsibility/accountability
    - compensating controls

    Assess compliance:
    - procedures
    - process deliverables
    - determine level of testing
    - provide assurance that the IT process is adequate

    Substantiate the risk:
    - control weaknesses
    - actual and potential impact

    Slide 48

    Who needs COBIT?

    Management needs COBIT:
    - to evaluate IT investment decisions
    - to balance risk and control of investment in an often unpredictable IT environment
    - to benchmark existing and future IT environment

    Users need COBIT:
    - to obtain assurance on security and controls of products and services provided by internal and third parties.

    IS auditors need COBIT:
    - to substantiate opinions to management on internal controls
    - to answer the question: what minimum controls are necessary?

    Slide 49

    Assessment of COBIT: Survey ISACA Switzerland Chapter 1997/98

    Useful for:
    - IT audits
    - Setting targets for IT
    - Comprehensive
    - For specific topics
    - Awareness
    - Business and IT management

    Partly useful for:
    - Health-check & risk-assessment

    Not useful for:
    - Detailed security policies
    - Choosing controls
    - Quick & dirty approaches
    - Assessment of business related risks

    Slide 50

    Pros & Cons

    Pros:
    - A package for every possible target group: executive, business and IT manager, user; project manager, developer, operations; information security officer, auditor
    - Well structured, comprehensive, precise
    - Nationally and internationally accepted
    - Very complete package: Executive Summary ("There is a method..."), Framework ("The method is..."), Control Objectives ("Minimum controls are..."), Audit Guidelines ("Here's how you audit..."), Implementation Tool Set ("Here's how you implement..."), CD with Info-DB

    Cons:
    - Needs a big starting effort
    - Has reputation of an audit standard
    - No control self assessment

    Slide 51

    Putting it all together: never go without your COBIT

    [Diagram: the COBIT cube. Business Processes; information criteria: effectiveness, efficiency, confidentiality, integrity, availability, compliance, reliability; IT Resources: data, applications, technology, facilities, people; domains: Planning & Organisation, Acquisition & Implementation, Delivery & Support, Monitoring]

    - Don't concentrate on details
    - Don't use all those gadgets
    - Forget about do-it-yourself
    - Only a comprehensive planning, acquisition, delivery and support of all IT resources will guarantee your success.